project-migration

SUSPICIOUS. The skill is mostly coherent for project migration and uses plausible same-org repos for blueprints/state, with no clear credential theft or exfiltration. However, it includes transitive skill installation via `npx skills add`, expanding trust and permissions beyond basic migration, so the overall risk is medium rather than benign.